cap_prctl - Linux


Overview

cap_prctl is a command-line utility for Linux that manipulates the capability sets of the current process or its threads. It is used to raise or lower the effective and inheritable capabilities of the process, giving fine-grained control over what a specific program is permitted to do. Lowering a capability never requires privilege; CAP_SETPCAP is required only to drop a capability from the bounding set or to add one to the inheritable set that is not already in the permitted set. No command can add a capability to the permitted set that the process does not already hold.

Syntax

cap_prctl [ACTION] [CAPABILITY] [THREAD_FLAG] [PID]

where:

  • ACTION specifies the operation to perform.
  • CAPABILITY is the capability to be modified.
  • THREAD_FLAG applies the changes only to specific threads.
  • PID is the process ID (optional).

Options/Flags

  • -a (ACTION): Add the capability to the set.
  • -d (ACTION): Drop the capability from the set.
  • -l (ACTION): List the effective and inheritable capabilities of the process.
  • -r (THREAD_FLAG): Apply to all threads of the process.
  • -e (THREAD_FLAG): Apply only to the calling thread.
  • -p (THREAD_FLAG): Specify the PID of the thread to affect.

Examples

  • Add CAP_SYS_ADMIN to the effective set of the process (succeeds only if CAP_SYS_ADMIN is already in the permitted set):
cap_prctl -a CAP_SYS_ADMIN
  • List the effective and inheritable capabilities of the process:
cap_prctl -l
  • Drop CAP_DAC_READ_SEARCH from all threads:
cap_prctl -d CAP_DAC_READ_SEARCH -r
  • Apply a capability change to a specific thread of another process:
cap_prctl -a CAP_NET_ADMIN -p 1234
Note that on any kernel with file capabilities (Linux 2.6.24 and later) capset(2) refuses to modify a thread other than the caller, so a PID that is not the calling thread's own ID fails with EPERM regardless of privilege.

Common Issues

  • Permission Denied (EPERM): dropping a capability from the bounding set (PR_CAPBSET_DROP) or adding one to the inheritable set that is not already permitted requires CAP_SETPCAP; raising a capability into the effective set requires it to be in the permitted set. Lowering any set of the calling thread never needs privilege.
  • Invalid Capability (EINVAL): the specified capability is not a valid capability name or number for the running kernel (numbers above CAP_LAST_CAP are rejected).
  • Invalid Thread: the specified thread does not exist, or is not the calling thread.
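The following is an added example, not code from the page or from any libcap tool. It shows what the Examples and Common Issues above amount to at the system-call level: it reads the calling thread's capability sets with capget(2), drops CAP_DAC_READ_SEARCH from the effective, permitted and inheritable sets with capset(2) (which needs no privilege), and then attempts the bounding-set drop with prctl(PR_CAPBSET_DROP), which fails with EPERM unless the caller holds CAP_SETPCAP. The function names cap_in_set, drop_cap, bset_has and bset_drop are this example's own. It links without libcap and, like any raw capset(2) call, affects only the calling thread.

```c
/* Added example, not code from the page or from libcap: inspect and lower the
 * calling thread's capability sets with raw capget(2)/capset(2) and prctl(2).
 * Only the calling thread is affected; a multithreaded program must repeat
 * this in every thread (libcap's tools do that through their psx helper). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

enum cap_set { CAP_SET_EFFECTIVE, CAP_SET_PERMITTED, CAP_SET_INHERITABLE };

/* v3 capability data: two 32-bit words per set, covering caps 0..63. */
static int read_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(d, 0, 2 * sizeof(*d));
    return (int)syscall(SYS_capget, &hdr, d);   /* pid 0 = calling thread */
}

static int write_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, d);
}

/* 1 if cap is in the requested set of the calling thread, 0 if not,
 * -1 with errno EINVAL for a capability number the kernel does not know. */
int cap_in_set(int cap, enum cap_set which)
{
    struct __user_cap_data_struct d[2];
    if (cap < 0 || cap > CAP_LAST_CAP) { errno = EINVAL; return -1; }
    if (read_caps(d) != 0) return -1;
    __u32 word = which == CAP_SET_EFFECTIVE ? d[cap / 32].effective
               : which == CAP_SET_PERMITTED ? d[cap / 32].permitted
               :                              d[cap / 32].inheritable;
    return (int)((word >> (cap % 32)) & 1u);
}

/* Remove cap from the effective, permitted and inheritable sets of the calling
 * thread. Lowering is always allowed, so this needs no privilege; once the cap
 * leaves the permitted set this thread can never raise it again. */
int drop_cap(int cap)
{
    struct __user_cap_data_struct d[2];
    if (cap < 0 || cap > CAP_LAST_CAP) { errno = EINVAL; return -1; }
    if (read_caps(d) != 0) return -1;
    __u32 mask = ~(1u << (cap % 32));
    d[cap / 32].effective   &= mask;
    d[cap / 32].permitted   &= mask;
    d[cap / 32].inheritable &= mask;
    return write_caps(d);
}

/* Bounding set: 1/0 for membership, -1 with errno EINVAL for an unknown cap. */
int bset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Drop cap from the bounding set so it cannot be regained across execve.
 * Returns 0 on success or -errno; -EPERM means the caller lacks CAP_SETPCAP. */
int bset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    printf("CAP_DAC_READ_SEARCH before: eff=%d perm=%d bset=%d\n",
           cap_in_set(CAP_DAC_READ_SEARCH, CAP_SET_EFFECTIVE),
           cap_in_set(CAP_DAC_READ_SEARCH, CAP_SET_PERMITTED),
           bset_has(CAP_DAC_READ_SEARCH));
    if (drop_cap(CAP_DAC_READ_SEARCH) != 0)
        perror("capset");
    int r = bset_drop(CAP_DAC_READ_SEARCH);
    if (r != 0)
        fprintf(stderr, "PR_CAPBSET_DROP: %s\n", strerror(-r));
    printf("CAP_DAC_READ_SEARCH after:  eff=%d perm=%d bset=%d\n",
           cap_in_set(CAP_DAC_READ_SEARCH, CAP_SET_EFFECTIVE),
           cap_in_set(CAP_DAC_READ_SEARCH, CAP_SET_PERMITTED),
           bset_has(CAP_DAC_READ_SEARCH));
    return 0;
}
```

Run it as an ordinary user and the capset(2) drop succeeds while PR_CAPBSET_DROP reports "Operation not permitted"; run it as root (which normally holds CAP_SETPCAP) and both succeed and bset becomes 0. Passing a number above CAP_LAST_CAP to either query gives the EINVAL case listed under Common Issues.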

Integration

cap_prctl can be integrated with other commands to perform advanced tasks:

  • setuid with capabilities: build a program that starts with reduced privileges and raises only a specific capability into its effective set when a privileged operation is needed, lowering it again afterwards.
  • Container Security: give a container only the capabilities its workload needs and drop the rest from the bounding set so they cannot be regained across execve.
  • SELinux: combine capability reductions with SELinux policy, which can further deny use of a capability even when it is present in the process's sets.

Related Commands

  • capabilities(7) (manual page describing the capability sets and the rules for changing them)
  • lscap
  • setcap
  • capsh (libcap's shell wrapper for inspecting and reducing capabilities)